Prosecute Burger King for Their Illegal Google Home Attacks in Their Ads

Someone — or more likely a bunch of someones — at Burger King and their advertising agency need to be arrested, tried, and spend some time in shackles and prison cells. They’ve likely been violating state and federal cybercrime laws with their obnoxious ad campaign purposely designed to trigger Google Home devices without the permission of those devices’ owners.

Not only has Burger King admitted that this was their purpose, they’ve been gloating about changing their ads to avoid blocks that Google reportedly put in place to try protect Google Home device owners from being subjected to Burger King’s criminal intrusions.

For example, the federal CFAA (Computer Fraud and Abuse Act) broadly prohibits anyone from accessing a computer without authorization. There’s no doubt that Google Home and its associated Google-based systems are computers, and I know that I didn’t give Burger King permission to access and use my Google Home or my associated Google account. Nor did millions of other users. And it’s obvious that Google didn’t give that permission either. Yet the morons at Burger King and their affiliated advertising asses — in their search for social “buzz” regarding their nauseating fast food products — felt no compunction about literally hijacking the Google Home systems of potentially millions of people, interrupting other activities, and ideally (that is, ideally from their sick standpoint) interfering with people’s home environments on a massive scale.

This isn’t a case of a stray “Hey Google” triggering the devices. This was a targeted, specific attack on users, which Burger King then modified to bypass changes that Google apparently put in place when word of those ads circulated earlier.

Burger King has instantly become the “poster child” for mass, criminal abuse of these devices. And with their lack of consideration for the sanctity of people’s homes, we might assume that they’re already making jokes about trying to find ways to bill burgers to your credit card without your permission as well. For other dark forces watching these events, this idea could be far more than a joke.

While there are some humorous aspects to this situation — like the anti-Burger King changes made on Wikipedia in response to news of these upcoming ads — the overall situation really isn’t funny at all.

In fact, it was a direct and voluntary violation of law. It was accessing and using computers without permission. Whether or not anyone associated with this illicit stunt actually gets prosecuted is a different matter, but I urge the appropriate authorities to seriously explore this possibility, both for the action itself and relating to the precedent it created for future attacks.

And of course, don’t buy anything from those jerks at Burger King. Ever.

I’m not sure one can successfully argue engaging in 1st Amendment protected free speech is a criminal act. Secondly, since Google Home by design does not authenticate users and will respond to anyone speaking to it, it is unclear how one can support the argument that Burger King engaged in unauthorized access.

There are plenty of circumstances where speech isn’t free, the cliche’d “yelling fire in a crowded theatre” being the most familiar. This ad was intended to trigger the devices. So it was a willful act of interacting with client’s devices.

What if someone was just about to pick up their phone to dial 911, and the ad came on the TV, and the “ok google” triggered it into listening mode, which briefly interfered with their phone call and caused them to die? This is why you don’t touch other people’s stuff without permission, physically or otherwise.

Also the “appropriate authorities” comment… while there may be some federal agencies that feel the need to look into this, I think it’s more likely that a class action suit would have to happen. The “appropriate authority” is a laywer.

Of course free speech (whether viewed in terms of the first amendment or not) has no applicability when it comes to accessing and using individuals’ computer equipment and accounts without explicit permission. Authentication systems being present is not a required predicate — it is illegal to access systems without permission whether or not they have any authentication whatsoever. Intent matters, so truly accidental access would typically not trigger this law. It is difficult to imagine a scenario under which any reasonable jury would agree with the premise that owners of Google Home intended for any advertiser or other entity with access to broadcast networks to take control of their Google Home and use their associated Google account. But even more to the point, the case for the prosecution gets even stronger if the perpetrator takes specific, intentional actions to bypass mechanisms that were deployed in an effort to keep them out. And in fact, that’s reportedly exactly what happened in this instance, and Burger King has openly gloated about this. Q.E.D.

That’s not clear, and is one reason why I view this as better focused as a comparatively straightforward criminal mass computer intrusion offense, particularly after Burger King made specific efforts to circumvent the blocks that Google reportedly put in place in an attempt to keep them out. This shows that BK knew they were not welcome, and chose to break in anyway.

A few questions. First, is there any protection for a Google Home device which Burger King is circumventing? That’s the primary standard for the application of the CFAA. Second, is a Google Home device a computer or a radio? Processing is done on the backend like most web services. Third, if a neighbor yells a command to their Google Home and the command triggers yours, did they violate the CFAA? What about a visitor to your house who guesses you might have one. How about a movie where a character within a scene issues a command to their Google Home and you watch that movie in your home? Although I understand the frustration, I’m pretty sure any prosecution would be stumped when trying to determine if in fact a law was violated.

Please see my reply to a comment above for more details regarding the applicability of the CFAA in this instance. Briefly, the presence (or lack thereof) of authentication is not a predicate for invoking the CFAA. An important element is intention. Accidental triggering would not likely be in scope. However, in this instance, we have clearly intentional triggering, made even more blatant by Burger King’s admitted actions to purposely attempt to circumvent access blocks that Google reportedly put in place to try block BK’s access attempts. That’s pretty damning from a legal standpoint. The associated definition of computer devices is very broad, and Google Home clearly falls into that scope, in multiple ways, not the least of which is the fact that all hotword (trigger phrase) processing takes place solely on the Google Home unit itself.

Yes, they had intent and it doesn’t meet any of the conditions spelled out in the CFAA. It is true “authentication” doesn’t need to be involved. For the non-government conditions in the CFAA, all of them require either actual damage and/or loss, attempt at fraud for or actual transmission of something of value, of transfer of information from a “protected computer” (which the recitation of the summary of the Whopper’s Wikipedia article clearly doesn’t qualify as).

At least two of those conditions are met in this case. Obviously, Burger King considered the accessing of Google Home and associated back end systems, then forcing persons in earshot to hear that Wikipedia entry, to be of notable commercial value. The speaking out loud of that material was the “something of value” in this instance. They gloated about it publicly, saying that they had created valuable social buzz. Advertising has immense financial value to BK, and in this case they literally hijacked users’ devices and Google accounts — after Google reportedly took specific steps to try keep them out — for valuable commercial purposes. Also, protected computers are clearly involved, since Google Home will not operate without being linked to a protected Google account, and Burger King was not authorized to use those accounts by Google Home users or Google — quite the opposite, given Google’s reported efforts to block BK’s attack.

The first time they can say there was no protection they evaded. But when the ad was changed to circumvent the “do not trigger on the ad” that google put in place they started to actively circumvent protection measures.